10 Days Of Hacking, Day 7: The Xbox 360

January 21, 2014

The Xbox 360 was Microsoft’s second home console, and the first one to be widely acceptable, but there’s probably nothing about its background story that you don’t already know, so lets cut to the point.

Along with the PS3, the Xbox 360 was a really tough machine to hack, but it still fell victim to hackers, specially due to a big time mistake made by Microsoft. Before I get to that, let me show you some important 360 hacks that, while I do not care for them, they are actually pretty cool.

If we have learned something from previous consoles is that there are a few different ways of hacking that can be applied to almost all of them: tricking the BIOS or OS into either ignoring the security or thinking it has passed, tricking the reader into telling the BIOS/OS that the security measures have been met, tricking a legit game into loading our own code, and many other.

The 360 is no strange from at least a few of these options, and I’m gonna do a quick sum up of some of interesting hacks before I get to my main one.

FOOLING THE DVD DRIVE

For consoles with optical discs, the disc reader is an essential and important sector in preventing piracy and unlicensed games. It’s simple: the game disc has something special that no other disc has and the laser drive is customized to be able to tell this difference, essentially letting the underlying BIOS or OS know if the disc is legit or not. Hardware makers can use special and closed machinery to craft game discs in a way that allows the system to differentiate them from standard discs and drives, and since this information is usually closed and the hardware/process involved in creating the discs is strictly locked behind doors, it is almost impossible for outsiders to replicate the structure a legit game disc has to be able to bypass the protection.

So we are facing the problem that we cannot craft our own discs to be just like legit ones, we have two options at this point if we want to achieve disc-based hacks: either we hack the drive so that it ignores the disc protection and always tells the system that it’s booting a licensed game, or we hack the system itself so it ignores the disc drive telling it that the disc is not legit, in either way, we should end up with the system being fooled one way or the other.

On most older systems this had to be done on the system itself due to the fact that the disc drive controller was on the same motherboard as the rest of the system, where the BIOS/OS is, but there were a few exceptions like the Dreamcast or the GameCube, which had separate motherboards for the system and the disc drive. In the case of the Dreamcast there was no need to hack any of them as another, better, software-based hack was found, in the case of the GameCube there were mostly modchips to fool the system itself, until Xeno-GC came out, which was a great piece of hardware hack: it had a very easy installation process and allowed for the same functionality as any other BIOS modchip. Why am I talking about GameCube hacks in a 360 hacking page? well aside from filler, it is needed to understand one of the first 360 hacks. This GameCube hack falls into the category of a hack that forces the disc drive to ignore the protection on the disc and send the “incorrect” signal to the system that the disc was “ok” to boot, when in reality we were booting a completely unlicensed game.

Now we understand these hacks work and that some 6th gen system separated main system board from disc drive board, essentially giving us the opportunity to choose which one of those to hack, but modern machines have an extra layer of security. In modern systems, specially the PS3 and 360, we have a hybrid combination at hand. We certainly don’t have one motherboard for both system and disc drive, but the two motherboard we have are tied together so that you can’t easily separate them without the system complaining. This is called married boards.

The way married boards work is simple: the motherboard has a special key that is unique to each system, and the disc drive board has the same exact key stored in it. So you have the same key but in two different places, at this point you can guess that the system simply compares them. So, we have the added extra security of not being able to replace the disc drive, at least not the motherboard, which is just there to annoy people.

So how can we come up with a hack on the disc drive? simple: connect it to your PC.
They didn’t even bother making their own proprietary ports for the 360, they use standalone SATA ports that every other PC disc drive uses, and there’s something we know about PC’s disc drives: we can flash the firmware.
Thanks Microsoft, you pretty much allow us to connect the 360 disc drive on our PC and lets us flash it, awesome job!

Ok we have covered this hack, but there’s another one that I will just merely point it out.

Much like with the new PS3 ODE, the Xbox 360 has gotten a special type of modchip. This modchip takes control of the connections between the system and the disc drive, inhibiting some of the features of the disc drive and replacing it with its own. This modchip essentially emulates the disc drive and allows you to mount ISO games and maybe some homebrews.
This modchip doesn’t require any soldering and does its job well, but I won’t talk much about it as I do not consider it to be either a clever hack nor a stupid mistake.

Joint Test Action Group

JTAG was a group formed in 1985, before then it was really complicated to test whether complex circuits were functioning correctly once assembled completely. It was common to find solder points not well connected, or ones that shouldn’t be connected at all, faulty units, or other problems that could lead to device malfunction, in some cases these could be just one out of a thousand, in some cases it could be a common problem due to a bug in either the development of the circuit or its manufacturing, but all having something in common: it was hard to debug.

JTAG sought to change this by creating an industry standard for debugging and fixing critical parts of the system, ensuring the completed device was functional and operational once completely manufactured and allows the device maker to easily track down problems that could affect too many units.

On modern systems the JTAG port is used for software debugging, CPU debugging, and most importantly, to flash to NAND and other writable devices.
These JTAG ports are of course available in most, if not all, modern systems, and they would give us almost complete control over the device, or at least give us critical information about the device itself.
One of the many features of JTAG, as I mentioned, is the ability to write to NAND flash and/or other internal writable media. If we can gain access to where the system OS is located, we can attempt to modify it, thus being able to achieve another type of hack: fooling the system into ignoring the disc drive’s warning that the game is legit, or simply fooling the system into booting our own code located away from the disc drive.
But can we do this with JTAG? long answer: NO, JTAG ports are usually only used in the factory and are disabled completely by the manufacturer when the device is ready to be sent to the shelves, specially if your device is as close as gaming devices are. Short answer: THEY FORGOT TO DISABLE THE JTAG PORT!

I never, ever, ever thought a company would be so stupid to do this, they have a port in their console that allows them, and pretty much anyone, to mess around with the internals of the console, a port that is normally used for debugging and writing the firmware, and they keep this port enable for everyone to mess around with!

CONCLUSION
This hack, if we can even call it a hack, it’s a mayor design flaw, is the main reason I decided to talk about the Xbox 360, as I consider it to be a mayor f*ck up on behalf of Microsoft that should have never happened had they decided to put some brains into what they were doing, but hey, Sony’s no different! don’t miss the next episode where I will talk about numbers and what Sony defines as “random”.